CVE-2024-4217
The shortcodes-ultimate-pro WordPress plugin before 7.1.5 does not properly escape some of its shortcodes' settings, making it possible for attackers with a Contributor account to conduct Stored XSS attacks...
Spiffy Calendar < 4.9.9 - Broken Access Control
Description: The plugin doesn't check the eventauthor parameter and allows any user to alter it when creating an event, which makes it possible to deceive users and admins into believing a page was created by a Contributor+ user. Using a Contributor+ account and a proxy interceptor such as Burp Suite, create an event. Change the...
GetPaid < 2.3.4 - Authenticated Stored XSS
In the plugin, users with the Contributor role and above can create a new Payment Form; however, the Label and Help Text input fields were not sanitized properly, so it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is...